Memorizing passwords to websites

Hi. How to memorize passwords for different websites? I know one can associate a password with the icon that's on the website and I can imagine all kinds of things necessary for memorization, but still it does require writing down the password somewhere in a notebook just in case one forgets, no? Also, one must plan when to repeat the images that correspond to the password if he were to visit that website irregularly, no?

Let's start with one of the most overused pieces of advice on passwords out there:

Never use the same password for multiple websites

Simply put, ignore that advice. Just ask yourself, would you mind if someone managed to hack this account? If not, go ahead and reuse a password. For most forums I use the same password; the only ones that get a different one are the websites where my account could do harm if someone got access, but for casual accounts I just have standard passwords. So if you get my password for a dog forum, you also get my password for a turtle forum. Good for you.

But you want to know what to do if you do need different passwords. What you can do is create a system that allows you to turn letters, numbers and symbols into images. A modified PAO or even a story could already do this if you have abstract passwords like aFG14F!ga=$21 or something like that. You end up with a few images, but it works. If they get too long however, you increase the risk of forgetting something.

Some people prefer passphrases, which can become a story. [email protected]#4Of$5Cards% or whatever. Passphrases are generally safer than passwords. When testing the two examples I have given here, the passphrase was rated almost 3 times stronger than the shorter but more random code. Even a simpler ‘1ArtMemorizedDecksOfCards!’ was already 2 times stronger. As for memorizing, you already got an image in the phrase itself.

If you still feel that is too much risk of forgetting, you can always make a mental algorithm that encodes the name of the website into a password. That way you only have to memorize the algorithm and you can use that to recreate the password whenever you need to. After using it for some time, you won’t forget it too quickly.

You can make it as fancy as you like. You can make it as paranoid-proof as you like. In the end, a regular person only has a handful of passwords that really matter though.

I forget where I read this idea. I haven’t used it, but I thought it was pretty clever.

Find any book, flick through and find the first sentence on one of the pages. You use the first letter of each word of the sentence to make the password. Look for one with a couple of capital letters and numbers in (use the first digit of each number).

The idea is to learn that sentence well enough to get all the words right. Then you have a fairly secure password, reasonably easy to remember, and a backup system.

My extension to that thought was you can use any sentence if you get a pencil and underline it, or put an arrow to it in the margin, and perhaps write the number of the page on the inside cover. Then your backup is just to find the right book, go to the page, find the sentence and use it.

It means you can take your time memorising it, and instead of thinking hard trying to invent one, you can just flick through one of your books.

It gives you a few options:

  • You can memorise the sentence, so you know the password.
  • You can just memorise which book, and look it up when needed if you’ve written in it.
  • If you use one large book, you just need page numbers. If you’ve got a 3-digit system, you can easily mentally store a list of them, or attach that one image to the website logo to remind you where to find it. Easy to review!

A PDF book would make it easy to reference when doing things online or on a smartphone, should you get stuck or need to check during a review, perhaps with a text file of page numbers or an image list, if you can’t highlight the PDF.

As I said, I've not tried it, but it seems fairly robust unless you own very few books! :)
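A worked example of the book-sentence rule, added here as illustration and not the poster's own code: it builds the password from a sentence (first letter of each word, keeping its case, first digit of each number) and applies the poster's selection criterion, a few capitals and numbers, to a constructed page of text. The sample sentences are made up for the example.

```python
"""
Added example of the book-sentence password rule described in the post above.
Not the poster's code; the sample text is constructed for illustration.
"""
import re

# One alphanumeric run per word; a leading quote, bracket or dash is skipped.
_WORD = re.compile(r"[A-Za-z0-9]+")

# Constructed "page" of a book, used only to demonstrate pick_sentences().
PAGE = ("It was late when the 4 of them reached Dover. "
        "The 3 Musketeers rode 200 miles to Paris in April. "
        "nobody spoke of the 12 gold coins hidden in the saddle.")


def sentence_password(sentence: str) -> str:
    """Build the password from a memorised sentence.

    'The 3 Musketeers rode 200 miles to Paris in April.' -> 'T3Mr2mtPiA'
    Each word contributes exactly one character (first letter, or first digit
    of a number such as '1,200'), so the words, not the punctuation, are what
    has to be remembered.
    """
    chars = []
    for word in sentence.split():
        m = _WORD.search(word)
        if m is None:            # a stray ' - ' or '...' contributes nothing
            continue
        chars.append(m.group()[0])
    return "".join(chars)


def has_mixed_classes(password: str) -> bool:
    """The poster's selection criterion: the sentence should give capitals
    and digits as well as lowercase letters."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def pick_sentences(text: str, min_words: int = 8) -> list[str]:
    """Scan a page of text (e.g. a PDF book dumped to text) and return the
    sentences whose derived passwords pass has_mixed_classes, longest first."""
    sentences = re.split(r"(?<=[.!?])\s+", text.strip())
    good = [s for s in sentences
            if len(s.split()) >= min_words
            and has_mixed_classes(sentence_password(s))]
    return sorted(good, key=lambda s: -len(sentence_password(s)))


if __name__ == "__main__":
    for s in pick_sentences(PAGE):
        print(f"{sentence_password(s):12}  <- {s}")
```

The third constructed sentence is rejected because it yields no capital letter; that is the kind of check the poster suggests doing by eye when flicking through a book.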

Thanks. Sounds awesome!

I use a password database. It makes it very easy to have secure passwords, or spend a bit more time and make your own secure and memorable “correct horse battery staple” passwords, and it doubles as a searchable list of websites I have accounts on. Then you can memorize the ones which you use more often, but everything’s there if you need it.

Snippet of the memorisation bit of this post:

"So let's go straight into memorising that 'salt'. This could be as short as 1 digit and it would still be a lot more protection than using a password manager without any salt because of the way hashing works AFAIK. That said, it would be good to have say, 2-4 things that are QUICK to TYPE.

So how do we go from the website address to something we memorise that has 2-4 unique aspects? The problem is that we don’t want to just add on the website name to the password - that’s too obvious. But at the same time we need it to be a consistent process. We could use the major system to convert the website name to a set of numbers but that’s so well known. I think we need a formula but it should be fast as we already have a lot of protection.
What are your thoughts?"

Rest of post:

This is a great question to ask because it exercises so many aspects of memorisation.

First thing, how far to go with the memorisation part and how much to let technology handle it?

You can

  1. store ALL of it in a password manager.

  2. store it all but then ‘salt’ a small portion with your own memorised portion or you can

  3. memorise and retype every password all of the time.

I think (2) is best.

There's also 2 factor authentication to think about. Don't use SMS as that has the surprisingly common risk of someone hacking and porting your number out. This happened to me.

A second factor could be a mnemonic formula but that’s more work and not supported by websites as far as I know.

I think option (2) SALTING is the best, to use a password manager but add your own mnemonically remembered sequence onto the end of each password. Then secure what you can (especially the password manager itself) behind 2 factor auth like Google Authenticator but print off the 2 factor QR codes as a backup and store in a safe. You can’t do this with a hardware key like Yubikey.

This way, if the passwords from your password manager get leaked like LastPass did, the attackers won't be able to login to any of your accounts because the salt is still in your head. Further, attackers won't be able to keylog you as you login to the password manager because you're using that 2nd factor to login. At the same time, you've reduced your typing by using the password manager.

So let's go straight into memorising that 'salt'. This could be as short as 1 digit and it would still be a lot more protection than using a password manager without any salt because of the way hashing works AFAIK. That said, it would be good to have say, 2-4 things that are QUICK to TYPE.

So how do we go from the website address to something we memorise that has 2-4 unique aspects? The problem is that we don’t want to just add on the website name to the password - that’s too obvious. But at the same time we need it to be a consistent process. We could use the major system to convert the website name to a set of numbers but that’s so well known. I think we need a formula but it should be fast as we already have a lot of protection.
What are your thoughts?

By the way, I had a number of accounts hacked recently. None of them were in any breach and used long passwords with an estimated crack time of many decades. Even a memory champion would lose a lot of time typing in passwords this long so I agree that passphrases are the best way if you want to keep having to type them all in manually.
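As an added worked example (not from either poster), one concrete form of the "mental algorithm that encodes the name of the website" from the earlier reply and of option (2) above: the password manager stores a long random part, and a short tag derived from the site address by a fixed formula is typed after it. The shift value, the symbol table and the formula itself are assumptions chosen for illustration. The point the code demonstrates is that the derivation is deterministic and the address is normalised first, so "https://www.Google.com/login" and "google.com" give the same tag while different sites give different ones, and that the stored vault entry alone is not what gets typed at login.

```python
"""
Added example of 'option (2)': vault-stored random part + memorised per-site tag.
Constructed for illustration; the formula and constants are assumptions, not
something either post specifies.
"""
from urllib.parse import urlsplit

# Personal, memorised constants (assumed values; pick your own and never store them).
SHIFT = 3           # Caesar shift applied to letters taken from the site name
SYMBOLS = "!#$%"    # small memorised symbol table, indexed by name length


def site_name(address: str) -> str:
    """Reduce a URL or bare host to the one label the formula operates on.

    'https://www.Example.com/login', 'WWW.example.com:8443' and 'example.com'
    all map to 'example', so the formula gives the same answer however the
    address was typed or copied.
    Simplification: takes the label before the last dot, so 'bbc.co.uk'
    yields 'co'; a real mental rule needs a convention for such suffixes.
    """
    host = address.strip().lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    else:
        host = host.split("/", 1)[0].split(":", 1)[0]
    labels = [part for part in host.split(".") if part]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def _shift(ch: str) -> str:
    """Caesar-shift one lowercase letter by SHIFT; anything else passes through."""
    if "a" <= ch <= "z":
        return chr((ord(ch) - ord("a") + SHIFT) % 26 + ord("a"))
    return ch


def site_tag(address: str) -> str:
    """Four quick-to-type elements derived from the site name:
    shifted first letter (uppercased), length digit, shifted last letter,
    and a symbol picked from the memorised table by the length."""
    name = site_name(address)
    if not name:
        raise ValueError("no host name in address")
    n = len(name)
    return (f"{_shift(name[0]).upper()}{n % 10}"
            f"{_shift(name[-1])}{SYMBOLS[n % len(SYMBOLS)]}")


def login_password(vault_password: str, address: str) -> str:
    """What is actually typed: the stored random part plus the memorised tag.
    The manager never holds the tag, so a leaked vault entry alone does not
    match what the site expects."""
    return vault_password + site_tag(address)


if __name__ == "__main__":
    # Constructed sample vault entry; a real one would be a long random string.
    stored = "q8Vt2m!Lp0Xs"
    for addr in ("https://www.Google.com/login", "google.com", "dogforum.net"):
        print(f"{addr:30} tag={site_tag(addr)}  typed={login_password(stored, addr)}")
```

Whatever formula you settle on, normalising the address first (lowercase, drop scheme, path, port and the www. label) is what keeps it consistent; the formula itself should be something you can do in your head in a couple of seconds, which is why this one uses only the first letter, last letter and length of the name.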